BTer recently suffered a hack of over 51 million NXT, which was its single largest market. They were, with the help of a negotiator, able to recover most of the funds. This morning, we were handed a sort of self-interview / narrative written by the key negotiator himself. While we are not in the practice of posting information handed to us verbatim, this piece included exclusive and important information. The way this information was given to us also makes it an extremely compelling narrative,
So, what follows is the story of the hack, as told by Jean-Laurent Tari, also known as DoM P on the NXT Forum, the CEO of CFA Consulting and the key negotiator in the deal that saved BTer from complete disaster. It is important to note that the opinions expressed below are his own. We have contacted him for follow-up questions and will note them at the end of the article. The following appears, aside from some minor editing and formatting, exactly how we received it. It appears that Tari may have expected us to post it as an interview that we did with him (judging by the first “question”), but that is not something we do here. That said, it is still an extremely compelling narrative of how CFA Consulting was able to bring one exchange back from the brink of disaster.
Jean, why did you contact us for this interview?
The information that BTer was hacked and that 85% of the stolen NXT were returned is now well spread.
What is not yet known is what happened exactly. Since BTer has decided to come out and announce details about the story, an interview was sought with Mr Tari to learn more about this.
Be ready for a long story…
So, what do you know about the BTer’s hack itself?
The hacker studied BTer and somehow got information about their developers. He then searched for information about them, where they had accounts, what online services they used, etc. At some point, he was able to hack into one of those accounts and get the password. That original hack is not linked to BTer’s lack of security, but that of the site. The problem was that this same password was used internally by that developer. So the hacker used this password to get access to privileged information from the BTer database.
“Over 51 million NXT was thus stolen, worth $1.75 million”
Unfortunately, BTer, which had set up 2-factor authentication for accessing most of the sensitive systems, had neglected to do so with their main exchanged currency: NXT. To worsen the situation even further, most of the NXT was in a “hot” wallet. That is, a wallet directly accessible from the site in real time. On the 15th of August, over 51 million NXT were thus stolen, worth $1.75 million.
How did you find the hacker?
The next day (Saturday, the 16th), Bas Wisselink introduced me to Lin, one of the developers at BTer’s, and we started to talk about this issue and its consequences (technical, financial, legal, etc.). Naturally, Lin was highly stressed and welcomed suggestions about the handling of the situation: he had tried to negotiate with the hacker, sent Bitcoins to get the Nxt back, but the deal was broken by the hacker. Lin also wanted help to forge a fork of the NXT blockchain so as to create a version of it in which the hack didn’t take place (see previous article here). I told Lin this would not happen, and that major Nxt owners including me were against this idea, as it would kill Nxt as a trustworthy currency: The hack had nothing to do with Nxt, only BTer was responsible, so BTer had to deal with this. With our help, that is.
“We had a credible profile: young male, late twenties to early thirties, computer expert, very proud of his act and egocentric”
I offered my services to help get the funds back and Lin accepted, so we discussed a “reasonable” price to buy the Nxt back. An offer was made by Lin through the Nxt forum. While the subject was wildly discussed there, I had a talk with Bas Wisselink (Damelon on the Nxt forum) and Florine Oury (Amadeus), one of the co-founders of Crypto Finance Analysis Consulting and a psychologist. Both helped a lot in understanding the hacker: what kind of human was he? How to get through to him? After a while, we had a credible profile: young male, late twenties to early thirties, computer expert, very proud of his act and egocentric. From that derived our strategy to communicate with him. An anonymous web page was created (we didn’t want the action to be linked to us until the end of a possible deal with the hacker) and, at 02:00 AM CET the next day (Sunday, the 17th), I got in touch with Lin from BTer to tell him about the plan: talk to the guy the way he needed to be talked to, to bring him to send some of the money back.
Then Marcos Lopez Porto (The-Lawyer-of-NXT on the forum, CEO of NXT Legal), whom I needed to talk to about legal issues regarding the situation, came online. We discussed a bit, then I gave him Lin’s account on Skype so he could chat directly with him. At 03:12 AM CET, Lin accepted the contact and Marcos told me he’d start chatting with him. Since I also urgently needed to talk with Lin, I asked him if he was up.
What was so urgent?
I had to talk to him about the plan to get to the hacker. But I soon learned it was not necessary: the hacker was here. He may have decided to contact us when he got to learn about the web page I had set up here. The good thing was that the hacker seemed to trust he could have a deal through me. Then started a long night.
“This was the beginning of a lengthy poker game”
So we started a three-way Skype chat with Lin, the hacker, and me. I first asked for a proof of him really being the hacker. This transaction did prove it, so I went on talking to him and telling him what he needed and wanted to hear: how good and brilliant he was, how bad BTer’s security was, that his deed would be remembered forever, etc. Being myself an expert at computers, I brought the hacker (calling himself The Sir) to brag about how he managed to get through BTer’s security. After this icebreaker, we started talking business: I clearly told him what was at stake for him (the risk of a rollback of the blockchain, the risk that we’d hunt him down to his last day, jail, etc.). This was the beginning of a lengthy poker game between the hacker (playing confident), Lin (extremely worried and stressed, therefore not in a state to negotiate with what he saw as a weak hand), and me (knowing I had a stronger hand than it seemed: there was a possibility that the blockchain could be rolled back, to erase all traces of his deed).
This discussion went on for hours, the hacker asking for much more than BTer could actually pay, and myself trying to make him understand that he should ask for things that were actually possible to do. Meanwhile, I was also chatting with Marcos who also spent the entire night with me, sharing insights about how to handle the situation, and doing research on subjects I needed to know better (legal issues, mainly: the law in China and Russia) but had no time to pursue myself while negotiating.
At some point, you had a deal. What was it exactly?
At 6:15 AM CET, the deal was set: the hacker would return the 46 million NXT that remained on his account against the payment of 400 Bitcoins to a newly created account. This would be done incrementally, starting with smaller amounts and speeding up later. It was decided that I would check, with the help of Marcos, the fund movements on the blockchain to tell Lin when to send some more Bitcoins. Obviously, I had absolutely no trust at all in the hacker’s word. A first batch of 2,333,142 Nxt was sent from the hacker. And once we saw it hit the blockchain, Lin sent 20 Bitcoins. Several batches were done this way, which are visible on the blockchain through the links above: 2m Nxt for 20 Bitcoins, 4m for 40, 4m for 35, 6m for 65, 10m for 80, and 10m for 70. That left us with 8,325,356 remaining in the hacker’s account, and 70 more Bitcoins to pay.
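The settlement loop Tari describes (counterparty delivers a batch, the payer confirms it on the ledger, only then is the next payment released) is a simple defensive protocol: the payer's exposure is capped at one unpaid tranche, and a counterparty who stops delivering, as happened here, just stalls the loop rather than walking away with unearned payment. The Python below is an added example written for this article; it is not code from the article, BTer or CFA Consulting. The 46 million NXT and 400 BTC deal terms are the figures stated above; the refund address, transaction ids, tranche sizes, ledger snapshots and the ten-confirmation policy are constructed for the demonstration.

```python
"""Tranche-based settlement check.

Added example (not code from the article, BTer or CFA Consulting): it models the
'counterparty delivers a batch, we confirm it on the ledger, only then release
payment' loop from the negotiation, so that the payer's exposure never exceeds
one unpaid tranche and a defecting counterparty simply stalls the loop.
The 46 million NXT / 400 BTC deal terms come from the article; the refund
address, txids, tranche sizes and confirmation policy are constructed.
"""
from dataclasses import dataclass, field

REFUND_ADDRESS = "NXT-REFUND-ADDRESS-PLACEHOLDER"  # constructed placeholder
MIN_CONFIRMATIONS = 10  # assumed policy; the article names no figure


@dataclass
class Tranche:
    nxt_expected: int  # NXT the counterparty must deliver for this step
    btc_price: int     # BTC released once that delivery is confirmed


@dataclass
class Settlement:
    nxt_outstanding: int           # total NXT the counterparty agreed to return
    btc_budget: int                # total BTC the payer agreed to pay
    nxt_credited: int = 0          # NXT confirmed and already paid for
    nxt_pending: int = 0           # NXT confirmed but not yet matched to a tranche
    btc_paid: int = 0
    seen_txids: set = field(default_factory=set)

    def ingest(self, ledger):
        """Credit confirmed, not-yet-seen transfers to the refund address."""
        for tx in ledger:
            if tx["to"] != REFUND_ADDRESS or tx["txid"] in self.seen_txids:
                continue
            if tx["confirmations"] < MIN_CONFIRMATIONS:
                continue  # still shallow enough to be reorganised away; do not count it yet
            self.seen_txids.add(tx["txid"])
            self.nxt_pending += tx["amount"]

    def settle(self, tranche, ledger):
        """Release BTC for one tranche only after its NXT is confirmed.

        Returns a short status so the caller can see why payment was
        released or withheld. Payment is never sent ahead of delivery."""
        if self.btc_paid + tranche.btc_price > self.btc_budget:
            return "refused: tranche exceeds remaining BTC budget"
        self.ingest(ledger)
        if self.nxt_pending < tranche.nxt_expected:
            return f"waiting: {self.nxt_pending} of {tranche.nxt_expected} NXT confirmed"
        self.nxt_pending -= tranche.nxt_expected
        self.nxt_credited += tranche.nxt_expected
        self.btc_paid += tranche.btc_price
        return "released"

    def remaining(self):
        """(NXT still owed by the counterparty, BTC still unpaid by us)."""
        return (self.nxt_outstanding - self.nxt_credited,
                self.btc_budget - self.btc_paid)


def run_demo():
    """Walk three tranches against constructed ledger snapshots."""
    s = Settlement(nxt_outstanding=46_000_000, btc_budget=400)
    schedule = [Tranche(2_000_000, 20), Tranche(4_000_000, 40), Tranche(6_000_000, 65)]
    statuses = []

    # Snapshot 1: first batch is well confirmed, so the first payment goes out.
    ledger = [{"txid": "tx-a1", "to": REFUND_ADDRESS, "amount": 2_000_000, "confirmations": 12}]
    statuses.append(s.settle(schedule[0], ledger))

    # Snapshot 2: second batch broadcast but only 3 confirmations deep: hold payment.
    ledger.append({"txid": "tx-b2", "to": REFUND_ADDRESS, "amount": 4_000_000, "confirmations": 3})
    statuses.append(s.settle(schedule[1], ledger))

    # Snapshot 3: same batch, now 11 confirmations: release.
    ledger[-1]["confirmations"] = 11
    statuses.append(s.settle(schedule[1], ledger))

    # Snapshot 4: counterparty stops delivering; a large transfer to some
    # other address must not be mistaken for our refund.
    ledger.append({"txid": "tx-c3", "to": "NXT-OTHER-ADDRESS", "amount": 6_000_000, "confirmations": 20})
    statuses.append(s.settle(schedule[2], ledger))

    return statuses, s.remaining()


if __name__ == "__main__":
    statuses, left = run_demo()
    for line in statuses:
        print(line)
    print("remaining (NXT owed, BTC unpaid):", left)
```

The point of the design is that `settle` credits only transfers to the agreed address with enough confirmations, and the loop holds payment rather than advancing on trust; when the counterparty defects at the third tranche, the payer has paid exactly for what was delivered and nothing more.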
“It is not surprising that such a person doesn’t keep his word, it comes with the character”
At 08:00 AM CET, the hacker decided to keep the rest of the NXT and leave it at that. We tried to get in touch with him several times during the next two days, to no avail. It is not surprising that such a person doesn’t keep his word, it comes with the character.
Despite the break of the deal by the hacker, this outcome is very good for the Nxt community, and BTer operators have workable options in front of them. We will go on helping them as we can, but this part of the communication is BTer’s responsibility.
“We were highly successful: 85% of the funds were returned: $1.5 million worth of Nxt”
What about the hacker? This was only the first part of the battle. We were highly successful: 85% of the funds were returned, $1.5 million worth of Nxt, but now it is time to work on getting the rest back. It was obvious from the profiling we had made of the hacker that he thought he was smart and cunning. So we talked a lot, saved logs, got information about him. A whole community is now after him, and we started to make progress. So the story will most probably not end here. Contacts with the police will be made shortly, and we will share all the interesting information we have gathered about him with them. Meanwhile, the hacker is trying to hide his Bitcoins. He started moving them around from the receiving account. From now on, one little mistake made by the hacker, and he’ll see a jail from the inside. A bounty on his head will probably be created soon.
“Crooks sent mails to BTer, trying to impersonate the hacker, and asked for some BTC in exchange for the Nxt being returned”
That is not all: There are some other issues that arose during this time, and they will also have to be dealt with:
Before we had a chance to talk to the hacker, some people offered him to buy some of the Nxt back at a cheap price. This is illegal in most countries and our legal department is working on this on the charge of handling of stolen goods. We advise people who communicated through the blockchain with the goal of getting some cheap Nxt at the expense of the others to come and contact us to seek legal advice and see if a deal can be made to keep them out of trouble. If they don’t, BTer will seek them and sue them, which may pay for part of their loss.
As soon as people noticed we had a deal and the Nxt was being sent back to BTer’s address, some crooks sent mails to BTer, trying to impersonate the hacker, and asked for some BTC in exchange for the Nxt being returned. This, again, was illegal and we have details about them, so BTer may very well sue them also. Again, it may be a good idea to contact us to seek legal advice.
Decentralization can be great, but sometimes it is hard to work on a secret deal while people talk on an open forum and give out information that, while not secret, was not necessarily known by the hacker. On several occasions, we would have preferred to see less activity on the forum. As of now, the hacker can still connect on the forum and read insightful information. Work will be done to find a solution to this problem, if the need for secrecy arises again some time in the future. We learned a lot while solving this issue. We now need a good debrief with the community to share the lessons we’ve learned.
One last note: We have talked a lot with BTer, and it seems their security has tightened a lot since the incident. We were assured that this couldn’t happen again.
Many thanks to those who helped, especially Florine Oury, Bas Wisselink, and Marcos Lopez Porto who helped for the deal, and Come-from-Beyond and Jean-Luc who helped BTer on technical issues.
As mentioned, we have contacted Tari for follow-up questions; of particular note is his threat to sue those that impersonated the hacker and those that asked the hacker to sell them some NXT. While there certainly could be an argument made that such acts were illegal, we would recommend contacting a lawyer before coming to any settlement with BTer.com. We also asked him about the secrecy comments regarding the board. He clarified that he did not mean for those comments to be interpreted as something that would interfere with free speech on the NXT forum. Rather, he wants to see the creation of a disaster task force and a list of optional guidelines for the community in case a similar situation presents itself in the future. He also assures me that the hunt for the hacker is ongoing.